- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-10-2013 12:22 AM
Hi all,
I have 4 virtual systems and have 2 requirements:
1. That VSYSs must go to internet by difference lines (we have 4 WAN lines)
2. That VSYSs can communicate with other VSYS.
I assign 4 Virtual routers for that VSYSs and resolve the requirement 1
But I cant do route between virtual systems
Can anyone help?
Thanks.
Binh.
04-10-2013 09:11 AM
Hello,
Have you referred to this document about inter-vsys communication, see:
How to Set Up Shared Gateway and Inter VSYS
Hope that helps,
Aditi
04-10-2013 07:57 PM
Hi Aditi,
Thanks for your reply, but, in that document, all VSYSs use the same Virtual router.
My case is: VSYS-A uses VR-A, VSYS-B uses VR-B and I have done with inter VR-routing. We need to create a static route with next hop is: VR.
Example:
VSYS-A has subnet: 172.16.1.0/24
VSYS-B has subnet: 172.16.2.0/24
User A: 172.16.1.2/24 want to connect to User B: 172.16.2.2/24
Create a static route in VR-A with destination: 172.16.2.0/24, next hop: VR-B
And then create: external zone, policies, ...to allow traffic.
Regards,
Binh.
04-12-2013 07:37 AM
Essentially you are creating 4 separate Firewalls when you create separate VRs and VSYS'. There is another post that has some suggestions to your question in https://live.paloaltonetworks.com/message/4430#4430. Specifically -
PThomas Oct 14, 2011 5:23 PM (in response to KMacnaughton)
Nick,
Version 4 now allows you to configure statics routes that you can nominate a Virtual Router (VR) as the next hop!!!
This new 4.x function allowed me remove the physical cable that join the VRs is seperate Virtual System (VS) and move back to just virtual routers in a single VS.
My real base requirement is for multiple VRs to handle multiple Internet connections (8 in total). Internal networks with their own ISP link but then they decided they want to share each others printers so the ffirewall needed to allow comms between them.
The reason for employing VSs in the first place was because I found the policy engine could not track the connection properly (looping back through the physical cable to join VRs) unless I placed the virtual routers in different VSs. That is to say connecting virtual routers together using a physical cable did not work if the VRs were in the same VS. Put them in different VMs and everything worked fine.
I have successfully used the new static routing to route directly between VRs in the same VS.
What you'll need to test is if you can successfully use statics to route directly to a VR in a different VS.
I know the routing will work. It's the policy that concerns me. You need to set up an external zone but there is no interface to associate it with (the static route is a bit of an auto-magic thing). Maybe you can try setting the zone to "Any".
I'd like to know the result if you do test this. It is on my to do list.
Another Document is http://www.paloaltonetworks.com/literature/techbriefs/Virtual_Systems.pdf.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!